[pve-devel] applied: [PATCH proxmox-firewall v3 1/1] service: flush firewall rules on force disable
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jul 22 17:43:46 CEST 2024
On 17/07/2024 at 15:16, Stefan Hanreich wrote:
> When disabling the nftables firewall again, there is a race condition
> where the nftables ruleset never gets flushed and persists after
> disabling.
>
> The nftables firewall update loop does a noop when the force disable
> file exists. It only flushes the ruleset when nftables is disabled in
> the configuration file but the force disable file does not yet exist.
>
> This can lead to the following situation:
>
> * nftables is activated and created its ruleset
> * user switches from nftables firewall back to iptables firewall
> * pve-firewall runs and creates the force disable file
> * proxmox-firewall sees that the file exists and does nothing
>
> Reported-by: Hannes Laimer <h.laimer at proxmox.com>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> Changes from v2 to v3:
> * Use proper debug output formatter
>
> Changes from v1 to v2:
> * Removed misleading/wrong section about the probability of this
> happening
> * Added a detailed description of the scenario this commit prevents
>
> proxmox-firewall/src/bin/proxmox-firewall.rs | 4 ++++
> 1 file changed, 4 insertions(+)
>
>
applied, thanks!